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Abstract. In this paper we propose a definition and construction of 
a new family of one-way candidate functions TZn '■ Q N —> Q , where 
Q = {0, 1, . . . , s — 1} is an alphabet with s elements. Special instances of 
these functions can have the additional property to be permutations (i.e. 
one-way permutations) . These one-way functions have the property that 
for achieving the security level of 2 n computations in order to invert 
them, only n bits of input are needed. The construction is based on 
quasigroup string transformations. Since quasigroups in general do not 
have algebraic properties such as associativity, commutativity, neutral 
elements, inverting these functions seems to require exponentially many 
readings from the lookup table that defines them (a Latin Square) in 
order to check the satisfiability for the initial conditions, thus making 
them natural candidates for one-way functions. 3 
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1 Introduction 



Almost all known and well established one-way functions and one-way permuta- 
tions in modern cryptography are based on intractable problems from number 
theory or closely related mathematical fields such as theory of finite fields, sphere 
packing or coding theory. For example, the discrete logarithm problem modulo a 
large randomly generated prime number is the Diffic-Hclman proposal in for 
one-way permutations, quadratic residuosity is Goldwasser and Micali proposal 
in |2] and RSA is an one-way permutation candidate based on the difficulty of 
factoring a number that is a product of two large prime numbers proposed by 
Rivest, Shamir and Adleman in [3]. There are also some one-way functions can- 
didates based on sphere-packing problems and coding theory such as the propos- 
als from Goldreich, Krawczyk and Luby in 0|. Constructing one-way functions 
based on the subset sum problem have been proposed by Impagliazzo and Naor 
in [3] . As far as we know, the only attempt to construct a one-way function that 
is completely defined by combinatorial elements is the proposal of Goldreich in 
UJ- The proposal is based on the combinatorial field of Expander Graphs. 

In this paper we construct a new family of one-way functions and one-way 
permutations defined on a finite set Q — {0, I , . . . , s — 1 } with s elements. The 
construction is based on the theory of quasigroups, and quasigroup string trans- 
formations. Our approach in opposite to other approaches, with an exception of 
10] is completely based on a mathematical field not closely related to the field of 
number theory. By some of their properties (such as speed of computation, se- 
curity level of inversion) quasigroup one-way functions outperform all currently 
known one-way candidate functions. 

2 Preliminaries 

Here we give a brief overview of quasigroups and quasigroup string transforma- 
tions and more detailed explanation the reader can find in |7| and [S]. 

Definition 1. A quasigroup (Q,*) is a groupoid, i.e. a set Q with a binary 
operation * : Q x Q — > Q, satisfying the law 



If Q is a finite set then the main body of the multiplication table of the 
quasigroup is a Latin Square over the set Q. A Latin Square over Q is a \Q\ x \Q\- 
matrix such that each row and column is a permutation of Q [7] . 

Next we define the basic quasigroup string transformation called e-transformation: 

Definition 2. A quasigroup e-transformation of a string A — (et , eti, . . . , a]v_ 1 ) £ 
Q N with a leader I £ Q is the function ei : Q x Q N — > Q N defined as B = ei(A) 
where A = (ao, ai, • • • , on-i), B = (bo, &i, • • • , bw-i), I £ Q and 



(Vii, v £ Q)(3! x, y £ Q) u*x — v$zy*u = v. 



(1) 




For better understanding the graphical representation of the e-transformation 
is shown on Fig. ^ 
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Fig. 1. Graphical representation of the e-transformation of a string A = 
(ao, 01, . . . , ajv_i). 



Example 1. Let Q = {0,1,2,3} and let the quasigroup (Q, *) be given by the 
multiplication scheme in Tabled 
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Table 1. Quasigroup (Q, *) 



Consider the string ,4=1021000000000112102201010300 
and let us choose the leader I = 0. Then by the e-transformation eo(A) we will 
obtain the following transformed string: 

e (A) = 132213021302101121113301313 0. 

The four consecutive applications of the e-transformation eo on A are repre- 
sented in Table [3 





1021000000000112102201010300 
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1322130213021011211133013130 


= e (A) 





1232202331322101122203012202 


= e (e (A)) 





1123211201232210111131332300 


= eo(e (e (A))) 





1003222301123221010122032021 


= eo(e (eo(e (A)))) 



Table 2. Four consecutive e-transformations of A with leader 0. 



If we have a string of leaders, we can apply consecutive e-transformations 
on a given string, as a composition of e-transformations. That is defined by the 
following definition: 

Definition 3. A quasigroup E -transformation of a string A = (ao, ai, . . . , cijv— l) £ 
Q N with a string of K leaders L = (Zq, Zi, . . . , Ik_ l) £ Q K * s the function 
El,k '■ Q K x Q N ~^ Q N defined as B — Ei,,k{^) where A — (ao, a\, . . . , a,N-i), 
B = (bg, bi, ... , bpf-i) and 

B = e i K -i( ^Ik-A ■■■Chi e l { A ) )•■•)) (3) 

Definition 4. Quasigroup single reverse string transformation is the function 
■ Q N Q N defined as 

B = n x {A) = E^ N (A) = e M ,(. . . (e ai (e ao (A)))) 

where A — (ao, a\, . . . , on-i) and B = (bo, b\, . . . , 6jv-i)- 

Definition 5. Quasigroup double reverse transformation is the function TZ 2 : 
Q N — > Q N defined as 

B = K 2 (A) = E XA2N (A) = e aN _ l {. . . (e ai (e ao (e CiN _ 1 (. . . (e Ol (e„ (A)))) 

where A = (ao, a\, . . . , on-i) and B = (bo, b\, . . . , 6jv-i). 

Example 2. Let quasigroup (Q, *) be given by the multiplication scheme in Table 
^ Consider the string A = 1 2 3 0. Then by the transformation IZi(A) = 
E-£ 5 (A) we will obtain the following transformed string: IZi(A) =00103 
and by the transformation 1Z 2 (A) = -E== 10 iA) we wn ^ obtain the following 
transformed string: 7^2(^4) = 3 2 2. The calculation's steps are given in 
Table 
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Table 3. TZi(A) and TZ 2 (A) transformation of the string A = 1 2 3 0. 



3 One-wayness from the lookup table point of view 



Both IZi and IZ2 are serious candidates for one-way functions, with the difference 
that the number of computations to invert IZi is 0(s L~J) and to invert IZ2 
it is 0(s N ). In the following two theorems we will prove these claims from a 
perspective of the lookup table (Latin Square) that defines the used quasigroup 
(Q, *). We will discuss later in this section the reasons for this approach. 

Theorem 1. If the quasigroup (Q,*) is non- associative and non-commutative, 
then the number of computations based only on the lookup table that defines the 
quasigroup (Q, *) in order to find the preimage for the function 7t\ : Q N — > Q N 
is O(sL^J). 

Proof: Let B = (bo,bi, . . . ,bN-i) be given. The goal is to find a string A = 
(a ,ai, . . . ,ew_i) that satisfies the equality B = E-± N (A) = E( aN _ u ajv _ 2 ,..., ai , a ) 
Further, because the final values of the string B are obtained after N consecu- 
tive operations e a we will use the following notation: B^ = e aN _ i {B^ ls> ) = 

{b[;\b[ l \ b^_j) for i = {1, . . . , N - 1}, and = A, flW = B. 
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Table 4. Initial table obtained from the values of B — (6 , 61, ... , b^-i) before 
making any guess for the values of A = (ag, a\, ■ ■ ■ , cln-i)- 



Since the quasigroup (Q, *) is non-associative and non-commutative, the com- 
position of e-transformations is fixed and it can not be changed (this is not the 
case if the quasigroup is commutative or associative) . Thus, to solve the inverse 
task in fact we have to fill in the scheme in the Table 01 from bottom up us- 
ing the properties of the quasigroup operation *. As a matter of fact due to 
the properties of quasigroup operation * this scheme can be partially completed 
without guessing any value of A. Namely, from the equation b+ * x = b^l we 
can calculate x = fr-^ -1 ^ for < i < N — 1, then from b\ N ^ * y — we 
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a. Completing the table when 
the value of ao is guessed. 
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b. Completing the table when 
the values of ao and ai are guessed. 



Table 5. 



can calculate y = b i+1 for 1 < i < N — 1, and so on up to the first row of the 

table, where we can calculate the value of 

Now, by knowing (or by guessing) the value of ao that range among s possible 
values we can find value fog , from which we can find the other values in the 
scheme of Table |5ji, together with the value of a^v-i- 

If we continue with choosing a\ from all possible s values we will obtain a 
new value for a^^2- Next, with every choice of at, 2 < i < we will obtain also 
the values for etjv-i-i, and by knowing that we will be in a position to complete 
the upper left corner of the scheme (see Table Eb)- The intersection of the lower 
completed and the upper completed part is for [yj . So by choosing [yj values 
we will obtain other values of the string A. Now, we can check whether we have 
made the right choice for ao, ai, . . . , a^w j or not. Therefore, the complexity of 

inversion of TZi only by using the lookup definition of the quasigroup (Q, *) is 
O(sLfJ). □ 

Theorem 2. // the quasigroup (Q, *) is non- associative and non-commutative, 
then the number of computations based only on the lookup table that defines the 
quasigroup (Q, *) in order to find the preimage for the function IZ2 '■ Q N —* Q N 
isO{s N ). 

Proof: The proof is similar to the proof for the function TZi except that now 
there is no intersection in the process of completing the scheme until the last 
guess for ajv-i is made. Therefore we have to make a guess for all N values 
ao, ai, . . . , ajv-i and thus the complexity of inverting the function IZ2 only by 
using the lookup definition of the quasigroup (Q, *) is 0(s N ). □ 



From previous two theorems we can make the following conjecture: 

Conjecture 1. 1Z\ and IZ2 are one-way functions. 

To support Conjecture 1 we would like to stress that the used quasigroup 
(Q, *) in general will not have any algebraic property such as commutativity, 
associativity, neutral elements etc. Thus, the only possible way to deal with the 
problem of inversion of these functions is to look at the lookup table (or Latin 
Square) that defines the quasigroup (Q, *). 
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Table 6. Schematic representation of the process of computation of the function 
K N . 

Next we will use the function 7\L 2 as a core for defining a family of one-way 
function candidates. The idea is that before applying the function IZ2 on some 
string A of length N, we would like to apply a certain number (polynomial on 
N) of e-transformations with leaders that are some constants from Q or they 
are fixed indexes that address certain letters of the string A. For that purpose 
we will need the following definition: 

Definition 6. Preprocessing string of leaders L = Lq InP ^ n - ) — (l , h, ■ ■ ■ ,lptN)) 
is a string of length that is polynomial of N and where k G Q U In, Q = 
{0, 1, . . . , s — 1} and In = {io, h, ■ ■ ■ ,in-i} in an index set. By convention, L 
can be also an empty string. 

Definition 7. The family Qn of quasigroup one-way functions of strings of 
length N consists of functions TZn ■ Q N Q N such that 

B = K N {A) = ^ L X4,P(AT)+2iv( A ) 

where L is defined in Definition 6, and A, B € Q N . By convention, when apply- 
ing the e-transformations with index leader i.e. lj G In, then e -transformation 
have to be applied with the leader . 



For better understanding, a schematic representation of the process of com- 
putation of the function IZjy is given in Table |H| 

Conjecture 2. The family Qn is a family of one-way functions. 

Example 3. Let chose N = 2 and (Q,*) be as in Tabled If we interpret the 
elements of Q — {0,1,2,3} as two-bit letters {00,01,10,11} then by having 
N = 2 we will define function -E L X4 p(n)+2n(A) from {0, 1, ... , 15} into itself. 
If we chose L = (3, 3, ii,ia), then E^ 3 3 ii ig yj^ 8 (A) is represented in Figure 
[2Ji. Notice that the function is permutation. On the other hand if we choose 
L = (3, 3, io,ii) then we will get a function that is not a permutation. That is 
represented in Figure [5Jd. Particular computations for the string 01 = 1 in both 
cases is shown in Table 
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4 One-way functions v.s. one-way permutations — 
non-fractal v.s. fractal quasigroups 

Having defined families of one-way candidate functions, we are interested in 
which case functions -E L X4 p(n)+2n( j ^) are P ermu tations, and when they are 
not. In this section we will describe our experimental findings that give some di- 
rections for possible mathematical answers to these questions. We hope that this 
paper and the findings presented here will be sufficiently provocative for some 
readers to investigate them further and possibly give some solid mathematical 
explanations. 

There are a lot of classifications of quasigroups of a specific order. Two main 
classifications are obtained by using the algebraic properties of the quasigroups: 
(1) classes of isotopic quasigroups, which are known only for quasigroups of 
orders up to 10 [S] and (2) classes of isomorphic quasigroups [7|. The importance 
of quasigroup classification is noted in many papers that deal with these algebraic 
structures (for example see jU]], [TT]). 



a. (3, 3,ii,io) a. (3, 3,io,ii) 

Fig. 2. Functions obtained by L being a. (3, 3, ii,io) and b. (3, 3, io, i\) 



From the point of view of this paper, classification of quasigroups can be done 
according to the nature of the one-way functions obtained by each quasigroup. 

Since the number of quasigroups increases exponentially by the order of the 
quasigroup, we have made our experiments mainly for order 4 and some of our 
conjectures we have tested also on quasigroups of order 5. The total number of 
quasigroups of order 4 is 576. Our experiments have shown that the set of all 
576 quasigroups of order 4 can be divided into two classes. One class T contains 
192 quasigroups and the other class M T contains 384 quasigroups. If we order 
all quasigroups lexicographically from 1 to 576, then the class T contains the 
following quasigroups: T ={ 1, 2, 3, 4, 5, 7, 9, 11, 14, 18, 21, 24, 25, 26, 27, 28, 
37, 40, 43, 46, 49, 51, 54, 57, 60, 63, 70, 71, 77, 80, 82, 83, 92, 93, 100, 101, 110, 
111, 113, 116, 121, 126, 127, 132, 133, 138, 139, 144, 145, 146, 147, 148, 157, 
160, 163, 166, 169, 170, 171, 172, 174, 176, 178, 179, 182, 185, 189, 192, 196, 
197, 203, 206, 212, 213, 218, 222, 223, 228, 229, 232, 234, 235, 242, 243, 246, 252, 
253, 259, 262, 263, 269, 272, 274, 275, 284, 285, 292, 293, 302, 303, 305, 308, 314, 
315, 318, 324, 325, 331, 334, 335, 342, 343, 345, 348, 349, 354, 355, 359, 364, 365, 
371, 374, 380, 381, 385, 388, 392, 395, 398, 399, 401, 403, 405, 406, 407, 408, 411, 
414, 417, 420, 429, 430, 431, 432, 433, 438, 439, 444, 445, 450, 451, 456, 461, 464, 
466, 467, 476, 477, 484, 485, 494, 495, 497, 500, 506, 507, 514, 517, 520, 523, 526, 
528, 531, 534, 537, 540, 549, 550, 551, 552, 553, 556, 559, 563, 566, 568, 570, 572, 
573, 574, 575, 576}. (By the way, the quasigroup defined in TableQby which we 
have performed examples in this paper has the lexicographic number 355.) 

From numerous experiments that we have performed, we can post the fol- 
lowing conjectures: 

Conjecture 3. For any quasigroup (Q, *) S J- and for every natural number N 
there exists at least one string L such that the function Ejjjj p(n)+2n(A) is a 
permutation in the set {0,1,..., 2 2N — 1}. 

Conjecture 4- For any quasigroup (Q, *) G NT and for every natural number N 
there is no string L such that the function £lX4 p(n)+2N (^) ^ s a permutation 
in the set {0, 1, . . . , 2 2N ~ 1}. 

The classes T and NT have another interesting "graphical" property. Namely, 
if we take the periodic string 01230123 . . ., and treat every letter as a pixel with 
the corresponding color, then by consecutive application of e-transformations 
with any constant leader I the set of 576 quasigroups can be divided into two 
classes: A class of quasigroups that give self-similar i.e. fractal images, and the 
class of quasigroups that give non self-similar images. As an example on Figure 
IHt we show the image obtained by the quasigroup number 46, and on Figure [Hp 
the image obtained by the quasigroup number 47. 

In one can find the same classification but instead of terms "fractal" 
and "non-fractal" classes of quasigroups they are named by an other property 
of them - a class of linear and a class of exponential quasigroups. In the same 
paper it is mentioned that when the order of quasigroup increases, the number of 
fractal (linear) quasigroups decreases exponentially compared to the number of 



a. 



b. 



Table 8. The images obtained by consecutive e-transformations with the quasi- 
groups of order 4 with lexicographic numbers 46 and 47. The transformations 
are done on a periodic string 01230123 . . . 0123 with the length 600 and with the 
leader 0. 



non- fractal quasigroups. An additional classification that is close to the fractal - 
non-fractal classification can be found in |11| and an excellent survey for many 
types of classifications of quasigroups is done in • 

It is really amazing how our experimental findings about the fractal - non- 
fractal classification of quasigroups comply with the classification of quasigroups 
that give one-way permutations and one-way functions. An open problem is to 
investigate the relation between these two classifications. Here even without 
precise definition of what "fractal" quasigroup would mean, we just give the 
following conjecture: 

Conjecture 5. The classes of fractal quasigroups and quasigroups for which there 
is a permutation E^-fij p , N *. +2N (A) coincide. 

5 Some comparative analysis for the quasigroup one-way 
functions 

In this section we would like to set the following convention: For a random oracle 
in the sense of Rudich and Impagliazzo works on one-way functions (HH, |16p. 
we will take any quasigroup (Q, *) of order s together with the family Qn of 
one-way functions that can be defined by that quasigroup. 

Rudich in his PhD thesis based on a combinatorial conjecture (which 
was proved in 2000 by Kahn, Saks and Smith in concluded that there 

exist oracles for which there exist one-way functions, but there are no one-way 
permutations. That is in perfect compliance with our case of quasigroup one-way 
functions. If the oracle (quasigroup) is non-fractal, our Conjecture ^ says that 
there are no strings ~Lq,i n ,p(n) such that the function E^-jj p ^ +2N (A) is a 
permutation. 



Impaliazzo and Rudich in |16| showed that "There exist an oracle relative to 
which a strongly one-way permutation exists, but secure secret-key agreement 
is impossible." That is again in compliance with quasigroup one-way functions. 
Namely, since quasigroup one-way functions rely on combinatorial characteristics 
of the quasigroups, in general there are no evident "shortcuts" and properties 
that will define a trapdoor function, that will enable secure secret-key agreement. 

Quasigroup one-way functions are strong one-way functions i.e. there is only 
a small set of values on which they can be inverted in polynomial time. Thus, 
security amplification of a weak one-way function by an iterative process, that 
was established as a very useful technique in the work of Yao in 1982 JJj is 
not necessary for quasigroup one-way functions. This means that the speed of 
computation of quasigroup one-way functions can be very high. Additionally, 
since the computations are done consecutively, they can be parallelized in a 
pipeline, and then the computation of the function can be done in time 0(P(N)). 
Some initial applications of quasigroup one-way functions and their properties to 
be easily parallelized are already done in definition of the stream cipher Edon80 
|18| . In that stream cipher the IVSetup procedure is in fact a sort of quasigroup 
one-way function. 

From Theorem 2 it follows that quasigroup one-way functions can achieve the 
level of security of 2™ attempts to invert the function with the length of the input 
being n bits. That is most efficient construction as far as we know compared to 
other candidate one-way functions that require from In to lOn input bits to 
reach the security level of 2™. 

The last property of quasigroup one-way functions that we want to mention 
in this paper, and that is similar to the properties that have been already found 
in other one-way functions is the property of a one-way function to be regular i.e. 
that have equal number of inversions on every point of their codomain. Namely, 
in [F3\ and [20] techniques for obtaining 1-1 one-way functions are proposed if 
the one-way function is regular. In our numerous experiments, every time when 
we have used fractal quasigroup, the obtained one-way functions were either 
permutations or regular ones. The example that we show on Figure |2t>. is an 
example of a regular function, where every point of its codomain has exactly 
two inversions. It would be a challenging task to apply the same techniques to 
quasigroup one-way functions. 

6 Conclusions and further directions 

In this paper we have given a formal definition and construction of a new family 
of one-way functions and one-way permutations. They are based on quasigroup 
string transformations, and have numerous interesting properties. By some of 
those properties (such as speed of computation, security level of inversion) they 
outperform all currently known candidate one-way functions. 

Many of our results concerning these functions are still experimental, and 
thus we have set up several conjectures about them. We hope that the intriguing 



experimental results mentioned in this paper about the new family of one-way 
functions will be interesting enough to attract attention of other researchers. 
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